The European Court of Justice declared the European Commission’s Privacy Shield decision 2016/1250 invalid this morning (Press Release / Judgement).

Data transfers to the US that are based exclusively on this agreement to ensure the necessary level of data protection must therefore be discontinued. However, the Court has not declared invalid the guarantee of data protection by the EU standard contract clauses provided by the Commission. These can continue to serve as the basis for data transfers to the USA.

However, when applying the standard contract clauses, it must be examined for each data export to a third country whether the recipient really complies with the contract clauses or can do so at all. The latter can be excluded if, due to the law of the respective state, a company cannot adequately protect the data despite the contractual relationship, for example because authorities can access data from the EU without sufficient legal restrictions and legal remedies, i.e. EU citizens do not have adequate protection against such access. This is critical in the United States, since data protection there applies only to US citizens; consequently the NSA, for example, but also other authorities in the United States, access data on foreigners from US companies in bulk and with almost no legal limits. The same applies to data that US companies store in the EU but can easily retrieve.

Affected companies must therefore check their data flows to non-EU countries in detail.

Regarding the important US data processors in particular, you unfortunately have to reckon with the fact that even the standard contractual clauses do not offer a sufficient basis in the long term if the USA does not give in and change its law. Relevant data protection associations such as GDD and BvD and industry associations such as Bitkom or BVDW are already calling for a new US agreement with the EU that will really solve the existing problems after the failure of Safe Harbor and Privacy Shield. The US Department of Commerce is reviewing adjustments and stressing that the Privacy Shield Agreement as such is not yet suspended. However, the willingness of the USA to apply its own data protection law to foreigners and to respect EU data protection standards has not been that great in the past.

If no solution is found, companies that exchange data with the US could be the victims: despite the application of the standard contractual clauses, they must always expect prohibitions and fines from the data protection authorities if, in individual cases, these believe that the contract is not sufficient to adequately protect EU citizens. It is to be hoped that the data protection authorities will give the companies time to review and adjust the data flows and will waive fines for the time being.

Your contact person for data protection at NÜMANN+SIEBERT is lawyer Peter Nümann (contact: